Name: Shai-Hulud Workflow File Creation or Modification
id: 6b4a0a7f-10d1-4d72-9c4c-5c6a3d9f9d6a
version: 1
date: 2025-11-25
author: Michael Haag, Splunk
status: production
type: TTP
Description: Detects creation or deletion of malicious GitHub Actions workflow files associated with
Shai-Hulud worm variants on Linux or Windows endpoints. This includes the original shai-hulud-workflow.yml,
the 2.0 backdoor discussion.yaml (enables command injection via GitHub Discussions on self-hosted
runners named SHA1HULUD), and the secrets exfiltration workflow formatter_*.yml pattern. These
files are used to exfiltrate credentials and propagate across repositories.
Data_source:
- Sysmon for Linux EventID 11
- Sysmon EventID 11
search: | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain filesystem events, specifically file creation
and deletion events. These logs must be processed using the appropriate Splunk
Technology Add-ons that are specific to the EDR product. The logs must also be
mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common
Information Model (CIM) to normalize the field names and speed up the data modeling
process.
known_false_positives: Very low. Legitimate usage of a file with this exact name is unlikely; validate with repository owners.
References:
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/
- https://github.com/SigmaHQ/sigma/pull/5658/files
- https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem
drilldown_searches:
- name: 'View the detection results for - "$dest$"'
  search: '%original_detection_search% | search dest = "$dest$"'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
- name: 'View risk events for the last 7 days for - "$dest$"'
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
tags:
  analytic_story:
  - 'NPM Supply Chain Compromise'
  asset_type: Endpoint
  mitre_attack_id:
  - 'T1574.006'
  - 'T1554'
  - 'T1195'
  product:
  - 'Splunk Enterprise'
  - 'Splunk Enterprise Security'
  - 'Splunk Cloud'
  security_domain: endpoint
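To show what the detection's file-name logic matches, the following is an added Python example (not part of the Splunk detection or its SPL search) that applies the same three workflow-name checks to constructed Sysmon EventID 11 records and aggregates count/firstTime/lastTime per host and path the way the tstats search does. The event field names (_time, dest, TargetFilename, EventID), host names and paths are assumptions for the sample data only.

```python
import fnmatch
import posixpath

# Workflow file names from the detection description, keyed to their variant.
WORKFLOW_PATTERNS = {
    "shai-hulud-workflow.yml": "original worm workflow",
    "discussion.yaml": "2.0 GitHub Discussions backdoor",
    "formatter_*.yml": "2.0 secrets exfiltration workflow",
}

def classify_path(file_path):
    """Return the variant label when file_path is one of the workflow files under
    a .github/workflows directory, else None (backslashes normalized for Windows)."""
    parent, name = posixpath.split(file_path.replace("\\", "/"))
    if not parent.endswith("/.github/workflows"):
        return None
    for pattern, label in WORKFLOW_PATTERNS.items():
        if fnmatch.fnmatchcase(name.lower(), pattern):
            return label
    return None

def find_workflow_events(events):
    """Aggregate Sysmon EventID 11 (FileCreate) records per (dest, path),
    returning count/firstTime/lastTime like the tstats search does."""
    hits = {}
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        label = classify_path(ev["TargetFilename"])
        if label is None:
            continue
        key = (ev["dest"], ev["TargetFilename"])
        h = hits.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                  "lastTime": ev["_time"], "variant": label})
        h["count"] += 1
        h["firstTime"] = min(h["firstTime"], ev["_time"])
        h["lastTime"] = max(h["lastTime"], ev["_time"])
    return hits

# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    {"_time": 1732500000, "dest": "build-01", "EventID": 11,
     "TargetFilename": "/home/ci/repo/.github/workflows/shai-hulud-workflow.yml"},
    {"_time": 1732500060, "dest": "WIN-DEV", "EventID": 11,
     "TargetFilename": r"C:\Users\dev\proj\.github\workflows\formatter_1234.yml"},
    {"_time": 1732500120, "dest": "WIN-DEV", "EventID": 11,
     "TargetFilename": r"C:\Users\dev\proj\.github\workflows\formatter_1234.yml"},
    {"_time": 1732500180, "dest": "build-02", "EventID": 11,
     "TargetFilename": "/home/ci/repo/docs/discussion.yaml"},  # wrong directory: no hit
]
```

The directory check is what keeps a file merely named discussion.yaml elsewhere in a repository from firing; tuning beyond that (for example excluding known CI templates) belongs with the false-positive review noted above.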